
Update jquery and nodejs #24402

Merged

istio-testing merged 2 commits into istio:release-1.6 from brian-avery:16JqueryNodejs on Jun 3, 2020

Conversation

brian-avery (Member) commented Jun 3, 2020

This is a manual cherry-pick of #24304

This updates the nodejs and jquery versions used in bookinfo. This is the master version of #24289

1.4, 1.5, and 1.6 are all based on bookinfo 1.15.0. Master advances to 1.16.0.

Testing done:

  • Manually tested that all three star versions show up when viewing the website
  • make test passes
  • No errors in the browser console.
Note that many tests expect the bookinfo images to already exist and the images do not get built in the pull request process. These tests will fail until the images exist.

This fixes:

NodeJS

  • CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
  • CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
  • CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS
  • CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append
  • CVE-2020-81720: TLS session reuse can lead to host certificate verification bypass

jQuery

  • CVE-2016-9251 jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
  • CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
  • CVE-2020-11022: Potential XSS vulnerability in jQuery
  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption

@brian-avery brian-avery requested a review from a team June 3, 2020 18:57
@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Jun 3, 2020
@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 3, 2020
@brian-avery brian-avery added cherrypick/release-1.4 do-not-merge/hold Block automatic merging of a PR. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 3, 2020
@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 3, 2020
brian-avery (Member Author) commented:

Fixes #24393

@brian-avery brian-avery changed the title Add files from cherrypick Update jquery and nodejs Jun 3, 2020

reviews-v1:
image: istio/examples-bookinfo-reviews-v1:1.15.0
image: docker.io/istio/examples-bookinfo-reviews-v1:1.15.1
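
Review bot: the tag moves from 1.15.0 to 1.15.1 on this line while the description states the release branches are based on bookinfo 1.15.0; update the description to say which tag release-1.6 now references, and confirm the 1.15.1 image has been published before merging, since the description itself notes that tests fail until the images exist.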
Contributor commented:

you don't need to have docker.io as that's the default, but it's fine to add it

brian-avery (Member Author) replied:

Almost all of the files used docker.io with only this and one other as exceptions. I think it's ok to call it out.

@brian-avery brian-avery removed the do-not-merge/hold Block automatic merging of a PR. label Jun 3, 2020
brian-avery (Member Author) commented:

/retest

@istio-testing istio-testing merged commit f07efb9 into istio:release-1.6 Jun 3, 2020
istio-testing (Collaborator) commented:

In response to a cherrypick label: new pull request created: #24406

istio-testing (Collaborator) commented:

In response to a cherrypick label: new pull request created: #24407
